Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018

Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.

Security researchers from around the world last year reported over 100,000 valid vulnerabilities in software and systems belonging to organizations signed up with the HackerOne crowdsourced vulnerability disclosure platform.

Together the researchers earned more than $19 million in bounties in 2018 — or nearly the same amount as the combined total paid out to hackers over the past six years under the HackerOne program.

A survey-based report that HackerOne released Friday shows the number of white-hat hackers registered under the program doubled year over year to 300,000. Hackers from the US and India alone accounted for some 30% of the total and were once again among the top earners in the HackerOne community as in previous years.

However, the number of ethical hackers signing up from other countries, most notably from Africa, grew dramatically last year as well. In total, at the end of 2018, HackerOne had security researchers from as many as 150 countries registered for the program.

"One of the most striking takeaways from this year’s survey is the international growth in the number of bug-bounty hackers," says Luke Tucker senior director of community and content at HackerOne. "India and the US remain the top hacker locations year over year, but their majority is decreasing as hackers across the globe sign up for bug-bounty programs."

The data is the latest to highlight the growing influence of crowdsourced bug-bounty programs in vulnerability discovery and remediation. HackerOne, like other bug-bounty platforms such as Bugcrowd and Synack, uses crowdsourced ethical hackers from around the world to help clients discover security vulnerabilities in their systems.

In recent years, thousands of private- and public-sector organizations have signed up with such platforms in a bid to uncover security vulnerabilities they might have missed otherwise. Last year, bug-bounty programs accounted for some 8% of all publicly disclosed vulnerabilities — up substantially from 5.8% in 2017, according to a recent report from Risk Based Security. In fact, the SECURE Technology Act (HR 7327), which President Trump signed into law last December, even authorizes the US Department of Homeland Security to establish a program that will let ethical hackers report bugs in federal government systems.

HackerOne's data shows that American and Canadian organizations are the most active users of such programs, at least based on share of bounties paid so far. They are followed by entities in the UK, Germany, Russia, and Singapore.

US government organizations have been especially enthusiastic users of the program, Tucker says. "In the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity," he says.

Tucker points to US Department of Defense programs, such as Hack the Pentagon and Hack the Army, which are conducted in partnership with HackerOne, as examples of the types of initiatives government organizations are taking with the crowdsourced vulnerability model.

It's not just enterprise organizations that are benefiting from the programs. Bug-bounty platforms are proving to be a very effective way for countless independent ethical hackers around the world to monetize their enthusiasm for bug hunting, as well.

Some top hackers in HackerOne's programs are making 40 times the median annual wage for security engineers in their home countries, according to the company. In the US, top earners last year made over six times the median annual salary of a software engineer based on salary estimates derived from PayScale.

A few researchers in the HackerOne program earned as much as $100,000 for disclosing a single critical bug. One hacker became the first under the program to top $1 million in bug bounties. Dozens of HackerOne clients also have hired security researchers they met through the program.

"We found that bug-bounty hackers are not in it just for the money, but we know those that are can make an impressive living," Tucker says.

Bug-bounty programs offer competitive rewards but are not focused on competing with other markets on price alone, he says. Bug discoverers can sometimes make substantially more money sharing their information with so-called gray market buyers, which can include intelligence agencies and government.

"[But] the hackers that report vulnerabilities to bug-bounty programs are in it for the resume they can build, the relationships, the challenge, and the recognition," Tucker says. "You lose all of this and gain a lot of uncertainty with other markets."

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.

** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of st...

** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.